mod_websocket: Clone stanza before mutating (fixes #1398) Checking for `stanza.attr.xmlns == nil` to determine if the stanza object is an actual stanza (`<message>`, `<presence>` or `<iq>` in the `jabber:client` or `jabbber:server` namespace) or some other stream element. Since this mutation is not reverted, it may leak to other places and cause them to mistreat stanzas as stream elements. Especially in cases like MUC where a single stanza is broadcast to many recipients.

author: Kim Alvefur <zash@zash.se>
date: Sat, 20 Jul 2019 04:19:58 +0200
parent: 9805:7bfc4269dc36
child: 10097:1f45d316b222
child: 10581:10d6d0d91f4e
--- a/plugins/mod_websocket.lua	Mon Jul 08 02:46:27 2019 +0200
+++ b/plugins/mod_websocket.lua	Sat Jul 20 04:19:58 2019 +0200
@@ -285,6 +285,7 @@
 	end);
 
 	add_filter(session, "stanzas/out", function(stanza)
+		stanza = st.clone(stanza);
 		local attr = stanza.attr;
 		attr.xmlns = attr.xmlns or xmlns_client;
 		if stanza.name:find("^stream:") then
author	Kim Alvefur <zash@zash.se>
date	Sat, 20 Jul 2019 04:19:58 +0200
parent	9805:7bfc4269dc36
child	10097:1f45d316b222
child	10581:10d6d0d91f4e